website risk assessment/risk management

Are there any common risks that can be associated with a company website - we need to do a risk assessment to ensure we have plans/controls/processes in place for all common risks associated with a companies website - main ones I could think of were effective content management (e.g. no broken links, up to date information, compliant with accessibility standards for all user groups) to reduce the risk of customer dissatisfaction/reputational damage, availability, e.g. controls for minimising downtime for hardware failure etc, security, e.g. compromise of site/server etc. I suppose performance, e.g. ensure suitable platform/hardware could be another risk.
LVL 4
pma111Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
Keep the web site outside the corporate network proper, in its own DMZ.  Better, co-host the web site or put it on a commercial hosting server so that it's not physically associated with your corporate LAN at all.

Up-to-date backups, which depends on the amount of risk you are willing to assume.  This might mean monthly, weekly, daily or even shorter intervals.

In a one-server environment, at least one warm-redundant server so one can take over immediately on failure of the primary.  In a multiple-server environment, continuous consistency checking between the servers so that any infected machine can be taken down quickly.

Hire a "gray hat" intrusion team periodically and have them attempt to disrupt the server operation.

Protection against DDoS.  You'll run into it eventually, best to address it right from the beginning.

Automatic IP lockout of troublesome IP blocks and individual addresses.

And so much more.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
btanExec ConsultantCommented:
Baseline controls should address minimally the OWASP top vulnerabilities esp the injection attacks like XSS, SQLi, Data exposure and use of vulnerable component as mentioned on CMS.
https://www.owasp.org/index.php/Top_10-2017_Top_10
There are also the high impact web attack as shared by expert like DDOS at network and application level (see link for further assessment) and not forgetting the Web defacement (which may not be just visual changes but injected files stealthy into the server).
https://www.experts-exchange.com/articles/26039/Going-for-effective-DDoS-mitigation-measures.html
Also good to take a "reverse" view in event the web system lacks these basic control or checks

  1. Input and data validation (injection)
  2. Authentication & Authorization (unauthorized access)
  3. Configuration management (unhardened)
  4. Sensitive data (leakage)
  5. Session management (hijacking)
  6. Cryptography (tamper & intercept)
  7. Parameter manipulation (corruption I/p)
  8. Exception management (fingerprint state)
  9. Auditing and logging (delay detection)
0
Dr. KlahnPrincipal Software EngineerCommented:
1
btanExec ConsultantCommented:
For author advice
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.